Java – How do I disable pop-up form-based login for RESTful endpoints?
I use Spring Security configured with form-based authentication, as per auto-config='true'.
I would like the endpoints under /api/** not to use form-based security. Endpoints other than /api/** should use form-based login. I want a 401 response sent to any endpoint under /api/** that does not provide credentials.
Update: Thanks to Luke Taylor's comments below, I have come up with the following solution.
Note: this technique can only be used in Spring Security 3.1.
First, I single out /api/**. We never create a session, but use one if it is available; this is done with create-session="never" and the use of <session-management/>.
<http pattern="/api/**" create-session="never" use-expressions="true">
    <http-basic />
    <session-management />
    <intercept-url pattern="/api/**" access="hasRole('API_ACCESS')"/>
</http>

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/" access="permitAll"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
</http>
Solution
With Spring Security 3.1, your best option is to split the REST and non-REST parts of the application into separate filter chains by using two separate <http> elements. The REST API chain can then be configured to be stateless and use basic authentication, while the default chain can use the normal form-login configuration.
You would then have something like the following:
<http pattern="/api/**" create-session="stateless">
    <intercept-url pattern="/api/**" access="ROLE_API_USER" />
    <http-basic />
</http>

<!-- No pattern attribute, so defaults to matching any request -->
<http>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login />
</http>
The chain definitions must be ordered from the most specific pattern to the most general, so the default chain comes last.
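
The ordering rule above can be checked with a small model of first-match chain selection. This is an added sketch, not code from the original post or from Spring Security: the Ant-style matcher is simplified, and the realm name, the /login URL and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Simplified Ant-style matching: '**' spans segments, '*' and '?' stay inside one."""
    tail = pattern.endswith("/**")          # a trailing /** also matches the bare prefix
    body = pattern[:-3] if tail else pattern
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", body)
    regex = "".join(table.get(p, re.escape(p)) for p in parts)
    return re.compile(regex + ("(/.*)?" if tail else ""))


@dataclass
class Chain:
    name: str
    pattern: Optional[str]   # None models an <http> element with no pattern attribute
    status: int              # modelled response to an unauthenticated request
    headers: dict
    creates_session: bool

    def matches(self, path: str) -> bool:
        return self.pattern is None or ant_to_regex(self.pattern).fullmatch(path) is not None


# Stateless basic-auth chain for the API: 401 challenge, no session (realm is constructed).
API = Chain("api", "/api/**", 401, {"WWW-Authenticate": 'Basic realm="api"'}, False)
# Default form-login chain: redirect to a login page (URL is a constructed placeholder).
WEB = Chain("web", None, 302, {"Location": "/login"}, True)


def unauthenticated_response(chains, path):
    """Only the first chain whose pattern matches the path handles the request."""
    for chain in chains:
        if chain.matches(path):
            return chain.name, chain.status, chain.headers, chain.creates_session
    return None


CORRECT = [API, WEB]      # most specific first, as in the answer
MISORDERED = [WEB, API]   # catch-all first: the API chain is never reached

if __name__ == "__main__":
    for label, chains in (("correct", CORRECT), ("misordered", MISORDERED)):
        for path in ("/api/orders/7", "/account"):
            print(label, path, unauthenticated_response(chains, path)[:2])
```

With the catch-all chain first, an unauthenticated call to /api/orders/7 is answered with the form-login redirect and a session instead of a 401 challenge, which is the behaviour the question set out to remove.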